Configure RBAC permissions
SLO creation and management permissions are configurable through the Role-based access control (RBAC) function in Grafana Cloud. This page tells you how to configure SLO access on an organizational level, or on a user level with folder permissions.
RBAC user-based roles
You can use RBAC permissions to control which users can view, create, edit, and delete SLOs.
Basic organizational roles
The following basic roles provide access to SLO functionality:
Basic Role | Access |
---|---|
Admin | View, create, edit, and delete SLOs. Can also modify organization preferences. |
Editor | View, create, edit, and delete SLOs. |
Viewer | View SLOs. |
No basic role | No access to SLOs unless additional SLO roles or SLO permissions are assigned. |
These permissions apply to all SLOs in your Grafana instance.
SLO-specific roles
You can also assign SLO-specific roles to grant access independently of a user’s basic role. This is useful when you want to grant individual access to users who don’t have an Editor or Admin basic role.
SLO Role | Access |
---|---|
SLO Admin | View, create, edit, and delete SLOs. Can also modify organization preferences. |
SLO Writer | View, create, edit, and delete SLOs. |
SLO Viewer | View SLOs. |
Configure SLO access across Grafana
To grant a user permission to view, create, update, and delete SLOs across your entire Grafana Cloud instance:
- Sign in to Grafana as an organization administrator.
- In the left navigation menu, click Administration > Users and access > Users.
- Search for the user whose permissions you want to update.
- In the Role field, assign the following roles: SLO > SLO Writer and Folders > Writer.
- Click Apply to save the changes.
Configure SLO access within folders
You can manage access to individual SLOs using folder-level permissions.
To allow a user to view, create, update, or delete SLOs within a specific folder, assign appropriate roles and configure the folder’s permissions.
You can customize access for users, service accounts, teams, and roles. For more information, see Grant folder permissions in the Grafana administration documentation.
Note
If a folder with restricted permissions is deleted, the visibility of the SLOs contained in that folder will default to the visibility settings for the Grafana SLO folder and will be visible in the SLO Overview accordingly.
To give a user view, create, update, and delete access for only the SLOs contained in a certain folder:
- Sign in to Grafana as an organization administrator.
- In the left-side menu, click Administration > Users and access > Users.
- Search for the user whose permissions you want to edit.
- Click the user’s role and, under the Plugins section of the dropdown, click SLO > SLO Writer.
- Click Apply to save the changes.
- Next, go to the left-side menu and click Dashboards.
- Choose the folder you want to add permissions for.
- Click Folder actions and select Manage permissions from the dropdown.
- Click Add a permission and grant the specific user Folder Edit permissions.
- The user is now able to view, create, update, and delete SLOs restricted to the chosen Folder.
RBAC permissions
Grafana SLO supports the following RBAC permissions:
Permission | Description | Scope |
---|---|---|
grafana-slo-app.slo:read | Read SLOs. | plugins:id:grafana-slo-app, folders:*, folders:uid:* |
grafana-slo-app.slo:write | Create or update SLOs. | plugins:id:grafana-slo-app, folders:*, folders:uid:* |
grafana-slo-app.slo:delete | Delete SLOs. | plugins:id:grafana-slo-app, folders:*, folders:uid:* |
To perform specific SLO actions, users must be granted multiple permissions across the SLO app, folders, and plugin system.
SLO action | Required permissions | Applicable scope |
---|---|---|
Read | grafana-slo-app.slo:read | |
Read | plugins.app:access | plugins:id:grafana-slo-app |
Read | folders:read | folders:*, folders:uid:* |
Create or Update | grafana-slo-app.slo:write | |
Create or Update | plugins.app:access | plugins:id:grafana-slo-app |
Create or Update | folders:read | folders:*, folders:uid:* |
Create or Update | folders:write | folders:*, folders:uid:* |
Delete | grafana-slo-app.slo:delete | |
Delete | plugins.app:access | plugins:id:grafana-slo-app |
Delete | folders:read | folders:*, folders:uid:* |
Delete | folders:write | folders:*, folders:uid:* |
The SLO Writer and SLO Admin roles include all permissions required to manage SLOs. The SLO Reader role includes read-only permissions.
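The following least-privilege check is an added example, not code from Grafana: it encodes the required-permissions table above and reports which SLO actions a set of grants covers in a given folder, and which permissions are missing. The scope-matching rule, the folder UIDs `team-a`, `team-b` and `team-c`, and the sample grants are assumptions constructed for illustration.

```python
PLUGIN = "plugins:id:grafana-slo-app"
FOLDER = "<folder>"  # placeholder, replaced by folders:uid:<uid> at check time

# Required permissions per SLO action, transcribed from the table above.
# A scope of None means the table lists no applicable scope for that
# permission, so this sketch checks the action name only (assumption).
REQUIRED = {
    "Read": [("grafana-slo-app.slo:read", None),
             ("plugins.app:access", PLUGIN),
             ("folders:read", FOLDER)],
    "Create or Update": [("grafana-slo-app.slo:write", None),
                         ("plugins.app:access", PLUGIN),
                         ("folders:read", FOLDER),
                         ("folders:write", FOLDER)],
    "Delete": [("grafana-slo-app.slo:delete", None),
               ("plugins.app:access", PLUGIN),
               ("folders:read", FOLDER),
               ("folders:write", FOLDER)],
}

def scope_covers(granted, needed):
    """Simplified matching (assumption): exact scope, or a trailing-* wildcard."""
    return granted == needed or (
        granted.endswith("*") and needed.startswith(granted[:-1]))

def missing_permissions(grants, slo_action, folder_uid):
    """Return the (action, scope) pairs still needed for slo_action in a folder."""
    missing = []
    for action, scope in REQUIRED[slo_action]:
        needed = f"folders:uid:{folder_uid}" if scope == FOLDER else scope
        if not any(a == action and (needed is None or scope_covers(s, needed))
                   for a, s in grants):
            missing.append((action, needed))
    return missing

def allowed_actions(grants, folder_uid):
    """SLO actions fully covered by grants for the given folder."""
    return [a for a in REQUIRED if not missing_permissions(grants, a, folder_uid)]

# Constructed grants: SLO permissions, plugin access, edit on team-a, read on team-b.
GRANTS = [(f"grafana-slo-app.slo:{v}", "folders:*") for v in ("read", "write", "delete")] + [
    ("plugins.app:access", PLUGIN),
    ("folders:read", "folders:uid:team-a"), ("folders:write", "folders:uid:team-a"),
    ("folders:read", "folders:uid:team-b"),
]

if __name__ == "__main__":
    for uid in ("team-a", "team-b", "team-c"):
        print(uid, allowed_actions(GRANTS, uid), missing_permissions(GRANTS, "Delete", uid))
```

With these grants the SLO write and delete permissions alone are not enough: the user can manage SLOs only in `team-a`, where the folder permissions are also present.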